Recent software vulnerabilities, like Heartbleed and Shellshock (the Bash bug), get an awful lot of press and, when exploited, can cause devastating damage to businesses. In reality, however, there is a far greater threat to the security of your corporate data lurking much closer to home.
Sleeping with the enemy
Studies have repeatedly shown that weak passwords are in fact the biggest threat to corporate data security. The 2014 Trustwave Global Security Report found that weak passwords were responsible for at least 31% of system intrusions. In 2013 they also reported that weak passwords were the method of attack propagation, once an initial intrusion had been made, in a shocking 80% of cases.
Nothing could be more important to individual and organisational security than passwords. For an individual, if a hacker gets access to just one email account, their whole world can be compromised - the hacker resetting passwords for ecommerce sites, social media accounts and online banking. For a company, a single compromised mailbox can be the beachhead from which to launch a devastating attack.
How secure is a password?
Unfortunately, misconceptions around password security are not helping matters.
Many users wrongly believe that a password consisting of a complex mix of character types is the most secure. Sadly, these supposedly secure passwords are also incredibly hard to remember, leading users to simplify their 'complex' passwords, using common word combinations and the fewest number of characters permitted. In actual fact a password that is difficult for a human to remember is simple for a computer to crack.
Also, in an effort to combat problems recalling passwords, users frequently use variations of the same password on multiple websites. This only worsens the situation, since a hacker only needs to crack one password to be in with a good chance of gaining access to many accounts.
A true measure of password strength
Password entropy is the measure of the computational strength of a password. Entropy is expressed in bits (the more bits, the greater the strength) and indicates how long a computer-led brute force attack would take to guess the password. One character of text is 8 bits, so a password consisting of 8 characters, a common minimum, has 64 bits. Although this may sound like a lot, in computational terms it is actually quite weak. It is therefore correct to conclude that simply increasing the number of characters in your password will make it harder for hackers to crack.
Passphrase - a better alternative to passwords
Use of a passphrase, a combination of a number of easy-to-memorise everyday words, is therefore an effective method of increasing entropy. Thanks to their length, the actual strength of a passphrase can be orders of magnitude greater than that of its poor cousin, the simple password.
If recollection poses a concern, there is no harm in using a line from a favourite song or a memorable quote as the basis of a passphrase. Though this may seem counterintuitive, it is the length that counts. If you choose to add in numerals and symbols, it will only make your password even more secure - particularly against non-computational attacks such as those based on confidence or familiarity with the target.
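As an added illustration, not part of the original article, the following Python estimates entropy as log2 of the number of equally likely candidates (the standard definition), which gives a lower figure than eight bits per character when a password is drawn from a limited character pool, and shows how a random multi-word passphrase compares. The Diceware list size of 7776 words and the guess rate are assumptions.

```python
import math

# Constructed sizes of the character classes a random password may draw from.
CHAR_CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}


def charset_size(password: str) -> int:
    """Size of the smallest pool that covers every character class used."""
    size = 0
    if any(c.islower() for c in password):
        size += CHAR_CLASSES["lower"]
    if any(c.isupper() for c in password):
        size += CHAR_CLASSES["upper"]
    if any(c.isdigit() for c in password):
        size += CHAR_CLASSES["digit"]
    if any(not c.isalnum() for c in password):
        size += CHAR_CLASSES["symbol"]
    return size


def password_entropy_bits(password: str) -> float:
    """Entropy of a password chosen uniformly from its pool: len * log2(pool)."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def passphrase_entropy_bits(word_count: int, dictionary_size: int = 7776) -> float:
    """Entropy of word_count words drawn uniformly from a word list.
    7776 is the Diceware list size (assumption: words chosen at random)."""
    return word_count * math.log2(dictionary_size)


def brute_force_years(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected years to search half the keyspace at a constructed guess rate."""
    return (2 ** bits / 2) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed samples: an 8-character "complex" password vs a 6-word passphrase.
    for label, bits in (("8 lowercase letters", password_entropy_bits("abcdefgh")),
                        ("8 mixed characters", password_entropy_bits("P@ssw0rd")),
                        ("6 random words", passphrase_entropy_bits(6))):
        print(f"{label:22s} {bits:6.1f} bits  ~{brute_force_years(bits):.2e} years")
```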
Multi-factor – even better again
Multi-factor authentication is stronger still than even a high-entropy passphrase and should be used whenever possible. Multi-factor authentication mitigates the threat of password vulnerability by calling for information from up to two other sources: either something you own or something you are. Examples are online banking dongles and fingerprints respectively.
Unfortunately for businesses, multi-factor isn’t a possibility when logging into a wide range of components of your IT infrastructure, such as cloud servers, firewalls, databases, etc. VPNs and end-points like laptops, tablets and phones can all be secured with multi-factor, but most are not.
Password managers to the rescue
Multi-factor or not, it's well known that digital workers are having to create more and more passwords all the time. The demands created by making passwords secure (in theory), unique and compliant with differing policies (in terms of length, character types and acceptable/unacceptable symbols) are leaving the employee of today with tens if not hundreds of passwords to recall. Many take the measure of writing them all in one document - rendering the whole lot worthless in security terms.
This is where secure password managers like LastPass, the market leader, provide the solution. By storing your login credentials for every website, as well as those for devices, along with credit card info, passports and the like, in an encrypted database, LastPass removes the need to remember each and every one, without making them visible to prying eyes. The whole lot is then accessed using one master password. This of course should be ultra-secure, i.e. long with high entropy, and can even be reinforced with a range of multi-factor options.
Protecting your business from the threat of weak passwords
To protect your cloud infrastructure, and your business, from the threat presented by weak passwords, we recommend a couple of things:
• Educate everyone in your business about the real security of passphrases vs passwords and encourage them to change theirs. Enforce this on their end-points if within your power. A simple change of attitude here will go a long way toward securing your business.
• Change the passwords on the devices within your infrastructure to comply with the same recommendations
• Use multi-factor authentication whenever available
• If passphrase recall is a concern, invest in an enterprise password manager - they are not expensive and can protect you from untold potential losses and damage if weak passwords are cracked and hackers get access to your systems
In addition, use of passphrases and password managers are both transferable skills that are just as effective for securing your valuable personal data as they are for that of your business.